Login Security Solution
[resolved] Still can't get into (22 posts)

  1. Gregg Banse
    Member
    Posted 1 year ago #

    Plugin installed on a WP Network of 25 sites. Forced change of pwd. Created a new user - Super Admin. Logged out. Attempted login and was told to reset password. Clicked link, changed pwd to meet the requirements I setup. Immediately got a warning the system is under attack. Got another email telling me to reset my password again. Reset password and still can't get in. Seems to be something amiss here.

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Dean Taylor
    Member
    Posted 1 year ago #

    In the early days using the initial versions of this plugin...

    I found that testing the LSS plugin and attempting failed passwords via my single connection (read single IP address) caused some of these same issues.

    I believe this was because my IP address was in the "failed attempts" table and therefore classed my IP as "bad" and correctly forced me to change my password when I successfully entered the correct password.

    From what I read in these forums some users descriptions of problems sound like this is happening.

    I would say - after testing the plugin clear out the wp_login_security_solution_fail table.

    Maybe this is your issue - maybe not.

    I'm sure you will get more input from the plugin author in due course (a very busy guy).

    Cheers,
    Dean.

  3. Gregg Banse
    Member
    Posted 1 year ago #

    Thanks for the info. That's rather concerning if I understand you correctly, because this is a WP Network for a University. All of the users come from a single IP - so if one of them messes up, then all of us blocked. Is there a way to white list IPs?

  4. Dean Taylor
    Member
    Posted 1 year ago #

    Actually yes, there is an automatic whitelist on a per-user basis.

    It was described in a previous forum post, for your reference:

    The plugin has an automatic whitelist process. Whenever someone updates their password, the IP is stored for future reference. Notices may still get sent depending on the timing of attacks and legitimate logins, so users can make sure nothing bad is happening...

    And checking the source code I also noted the following:

    Note: saves up to 10 addresses, duplicates are not stored.

    This white-listing of IP addresses occurs on a per-user basis, these are called "verified IP's" in the code.

    So you will likely see some requests for password resets if your users are coming from the same IP, but after the password is reset - that IP is whitelisted for that user. So that user will not be troubled again when logging in from that IP.

    Please note this information is specific to version 0.35.0, things do change based on user feedback - but always with security in mind and after careful consideration by the plugin author.

    Cheers.

  5. Gregg Banse
    Member
    Posted 1 year ago #

    Hi Dean,
    Thanks again for taking the time to help. The issue is we did reset our passwords but none of us were able to login again. I know at least 2 other users on that network attempted to reset passwords but not one of them was able to get in. I will look into the white listing of IPs and see if I can clear the errors from the db today.

    Thanks

  6. Dean Taylor
    Member
    Posted 1 year ago #

    Take a backup of the table - perhaps it might be useful to diagnose what actually happened.

  7. Gregg Banse
    Member
    Posted 1 year ago #

    Right. I'll start with the table itself and the white list options. Then if not real results in there, then hope the author can stop by and lend a hand.

  8. Gregg Banse
    Member
    Posted 1 year ago #

    After looking at the logs, it's apparent the site was undergoing a botnet attack during the 30 minutes the LSS was running. Dozens of attempts from outside IPs trying to gain access using the default admin user. More to come as I dig deeper.

  9. Dean Taylor
    Member
    Posted 1 year ago #

    Expect to be attacked! It's just the norm.

    Here are some numbers from my simple no-name test installation with one user (me) which was installed the same time as LSS, you can see the increase in failure attempts over time:

    SELECT COUNT(*) AS failed_count, DATE_FORMAT(date_failed, '%Y-%m') AS month
    FROM wp_login_security_solution_fail
    GROUP BY month
    ORDER BY month;

    Month	Failed Count
    2012-07	109
    2012-08	277
    2012-09	2848
    2012-10	359
    2012-11	2480
    2012-12	568
    2013-01	502
    2013-02	4134
    2013-03	11340
    2013-04	2979

  10. Gregg Banse
    Member
    Posted 1 year ago #

    I do!

    So I see two tables that track failed logins.

    login_fails & then login_security_solution (not full table names). Which one can I delete our users from?

  11. Dean Taylor
    Member
    Posted 1 year ago #

    Assuming you are using the default table name prefix of wp_: wp_login_security_solution_fail

    wp_login_security_solution_fail is the only table LSS currently creates; anything else would likely be from another plugin.

  12. Gregg Banse
    Member
    Posted 1 year ago #

    Understood. Thanks.

  13. Gregg Banse
    Member
    Posted 1 year ago #

    Clearing out that table of entries that came from our users worked. We're now able to login again. I think what happened is because we had 3 users on the same IP address all attempting to work through the login/authentication process at the same time, it tripped the security flags and banned us all.

    Live and learn. Now I know how to resolve the issue and that's all I needed. Thanks again for your help Dean.

  14. Daniel Convissor
    Member
    Plugin Author
    Posted 1 year ago #

    "this is a WP Network for a University. All of the users come from a single IP"

    Each computer gets a separate IP address.

  15. Dean Taylor
    Member
    Posted 1 year ago #

    Hi Daniel,

    Just to clarify I believe Lorax means the following...

    I have actually experienced this before, some corporations and educational establishments do actually proxy all users through a single IP address.

    This means to a website hosted outside of the internal network all users appear to be from a single IP address, the IP of the proxy.

    Cheers,
    Dean.

  16. Daniel Convissor
    Member
    Plugin Author
    Posted 1 year ago #

    Ouch! My sympathies.

    In that case, lorax may want to take the advice in the FAQ about the server being behind a proxy, and then tweak it to just check the HTTP_X_FORWARDED_FOR for addresses from the university.
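    The proxy tweak Dan suggests, as an added example that is not the plugin's own code and not the FAQ text: it assumes the FAQ-style approach of correcting REMOTE_ADDR in wp-config.php before WordPress loads, uses a placeholder for the university's proxy address, and honours HTTP_X_FORWARDED_FOR only for requests that actually arrive from that proxy, so an outsider cannot forge the header to look like a campus user or to pin failed logins on some other address.

```php
<?php
// Added example (not LSS code and not the FAQ text): decide which address to
// treat as the client before plugins load, e.g. near the top of wp-config.php.
// The proxy address below is a constructed placeholder for the university's
// outbound proxy; replace it with the real one.
$lss_example_trusted_proxies = array( '203.0.113.10' );

/**
 * Return the address to treat as the client.
 *
 * @param string $remote_addr  $_SERVER['REMOTE_ADDR'], the TCP peer.
 * @param string $xff          $_SERVER['HTTP_X_FORWARDED_FOR'] or ''.
 * @param array  $trusted      Proxies allowed to set X-Forwarded-For.
 * @return string
 */
function lss_example_client_ip( $remote_addr, $xff, array $trusted ) {
    // Requests that did not come through the known proxy keep their peer
    // address: anyone on the Internet can send an X-Forwarded-For header, so
    // honouring it here would let an outsider impersonate a campus user or
    // pin failed logins on an arbitrary address.
    if ( ! in_array( $remote_addr, $trusted, true ) ) {
        return $remote_addr;
    }
    // Header format is "client, proxy1, proxy2, ...". Walk from the right and
    // take the first hop that is not one of our own proxies: that is the
    // address the trusted proxy actually saw. Campus addresses may well be
    // private (10.x, 172.16.x, 192.168.x), which is fine for telling users
    // apart, so only syntactic validity is checked.
    $hops = array_map( 'trim', explode( ',', $xff ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( in_array( $hops[ $i ], $trusted, true ) ) {
            continue;
        }
        if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) !== false ) {
            return $hops[ $i ];
        }
        break; // malformed entry: do not trust anything further left
    }
    // Header missing or unusable: fall back to the proxy's own address, which
    // is the pre-tweak behaviour (everyone on campus shares one IP).
    return $remote_addr;
}

$_SERVER['REMOTE_ADDR'] = lss_example_client_ip(
    isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '',
    $lss_example_trusted_proxies
);
```

    This only helps if the campus proxy actually sets X-Forwarded-For; a plain NAT gateway does not, and then every campus user still shares one address as far as the fail table is concerned.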

  17. Gregg Banse
    Member
    Posted 1 year ago #

    Hello Daniel and Dean,
    The setup is a publicly available server at a commercial host. The University has a single IP from its campus to the outside world. Now that I know what to look for and how to deal with it, I can handle it.

    I've begun the process of educating our users on updating their passwords and teaching them to take their time and READ the instructions. Essentially I'm counting on user education but for those that won't (and I know I'll have some) I can now address the situation which makes my life much less stressful.

    Thank you both.

    Gregg

  18. dibbit
    Member
    Posted 1 year ago #

    I just wanted to post a note that I have had the exact same problem with this plugin as described in this thread, i.e. repeatedly logged out and told to reset the password, then logged out again as soon as the password is changed.

    I also get an email telling me to email myself if I'm not me:

    Someone just logged into your 'xxxxxx' account at XXXXXX. Was it you that logged in? We are asking because the site happens to be under attack at the moment.

    To ensure your account is not being hijacked, you will have go through the 'Lost your password?' process before logging in again.

    If it was NOT YOU, please do the following right away:
    * Send an email to xxxxxxx letting them know it was not you who logged in.

    I had to delete the plugin to get back in.

    I have now switched to a different security plugin, which is a shame as yours seems like a neat plugin.

  19. Daniel Convissor
    Member
    Plugin Author
    Posted 1 year ago #

    Hi Dibbit:

    The scenario you're talking about only happens if the "attacker" is coming from the same IP address as you. This can happen for a few reasons:

    * You're the "attacker" (due to testing, forgetting your password, etc)
    * Your web server is behind a proxy
    * You've got malware on your computer
    * You're on some network (university, corporate, etc) that says you and the "attacker" are coming from the same IP. The "attacker" could be some other user(s) forgetting their passwords.

    The way to help figure out what's happening is to examine the <prefix>login_security_solution_fail table.

    --Dan

  20. dibbit
    Member
    Posted 1 year ago #

    Hi Dan

    Yes, that is exactly the scenario - I tried to login using the WordPress App on the iphone, which had an old password in it.

    Just a suggestion - surely once a password has been changed and the user logged in again you should clear that IP as being from an attacker? Otherwise everyone who forgets their password will have to delete the plugin.

    I still think it's a neat plugin though :D

  21. Daniel Convissor
    Member
    Plugin Author
    Posted 1 year ago #

    Hi Dibbit:

    I'll try to come up with some logic that will preserve security while keeping people who shot themselves in the foot from ending up in a catch 22. (Hmm... How many more mixed metaphors can I throw in?)

    --Dan

  22. Daniel Convissor
    Member
    Plugin Author
    Posted 1 year ago #

    Release 0.40.0 fixes the infinite loop when the "attacking" IP address is the one the user is logging in from.

Topic Closed

This topic has been closed to new replies.